Forum Discussion
drrnmac
Nov 19, 2019, Copper Contributor
RDP attempts with Authentication
We're currently receiving failed RDP logon attempts on our domain controllers from a trusted domain running Azure ATP, our colleagues managing the other domain have suggested this is expected behavio...
EliOfek
Microsoft
drrnmac, no, this is not expected.
The NNR using RDP does not do any authentication; it sends a fixed payload to the RDP port, which causes the machine to report back metadata about itself. At this point the session is ended from AATP's side before reaching the authentication phase.
Also, for NNR no account is used at all, certainly not an administrator account.
Even for AD access or lateral movement, we use (if configured correctly) a low-privileged read-only account.
If you get RDP auths using Administrator, I suggest investigating, as I don't believe those are initiated from AATP.
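To act on the distinction made in the reply above, here is an added triage example (not code from the thread, Azure ATP, or Microsoft) that works over a constructed CSV export of a domain controller's Security log: because the NNR (Network Name Resolution) RDP probe closes the session before authentication, it never produces a 4625 failed-logon event, so any 4625 with LogonType 10 against a privileged account came from something else and is worth the investigation EliOfek suggests. The CSV column names and the `svc-readonly` / IP values are assumptions for the sample.

```python
"""Triage DC failed-logon records to find RDP attempts that actually reached
authentication. Added example, not code from the thread or from Azure ATP.
Assumption: Security-log 4625 events were exported to CSV with the standard
event fields (TargetUserName, IpAddress, LogonType, Status).
"""
import csv
import io
from collections import Counter

RDP_LOGON_TYPE = "10"  # RemoteInteractive: RDP / Terminal Services logon

# Constructed sample export (not real telemetry).
SAMPLE_CSV = """EventID,TimeCreated,TargetUserName,IpAddress,LogonType,Status
4625,2019-11-19T08:00:01,Administrator,10.20.30.40,10,0xC000006D
4625,2019-11-19T08:00:03,Administrator,10.20.30.40,10,0xC000006D
4625,2019-11-19T08:00:05,Administrator,10.20.30.40,10,0xC000006D
4625,2019-11-19T08:01:00,svc-readonly,10.20.30.50,3,0xC000006D
4625,2019-11-19T08:02:00,jsmith,10.20.30.60,10,0xC000006A
4624,2019-11-19T08:02:30,jsmith,10.20.30.60,10,0x0
"""


def parse_events(text):
    """Parse the CSV export into a list of dicts, one per event."""
    return list(csv.DictReader(io.StringIO(text)))


def failed_rdp_logons(events):
    """Keep only failed logons (4625) of RemoteInteractive type (RDP).
    An NNR probe never gets this far, so nothing here is attributable to it."""
    return [e for e in events
            if e["EventID"] == "4625" and e["LogonType"] == RDP_LOGON_TYPE]


def count_by_source(events):
    """Count failed RDP logons per (source IP, target account)."""
    return Counter((e["IpAddress"], e["TargetUserName"].lower())
                   for e in failed_rdp_logons(events))


def flag_for_investigation(events, watched=("administrator",), threshold=3):
    """Return source IPs whose failed RDP logons hit a watched account at
    least `threshold` times; these warrant follow-up rather than being
    written off as AATP activity, which uses no account for NNR."""
    return sorted(src for (src, acct), n in count_by_source(events).items()
                  if acct in watched and n >= threshold)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_CSV)
    print(dict(count_by_source(evs)))
    print(flag_for_investigation(evs))  # prints ['10.20.30.40']
```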